Scary Facts on D3 Account Hacking

Posted By: May 27, 2012

A Bliz tech guy named Kaltonis made several very candid and informative replies to a number of player questions about all the account “hacking” we’ve seen lately, and I’d strongly recommend that everyone concerned about this issue read it. The whole thread is quoted on the click through, but here is my summary of the key points and an excerpt to draw you in.

1) The computers of every “hacked” account he’s looked at have been absolutely riddled with malware and backdoor programs.

2) The gold and item selling companies who steal account passwords are very good at what they do, and will exploit whatever vulnerability they find. He mentions another tech guy who didn’t update his Adobe Flash Player for a week after a security fix was published, and got his WoW account stripped via a backdoor inserted through that orifice.

3) With so many thieves trying so many ways to get your stuff, even computer security experts can eventually get an account compromised, and the mobile and physical authenticators are absolutely the best way to preserve your account security. Bliz sells the physical one at cost, much less than what most banks charge customers for them, since it’s something they desperately want players to use.

4) There’s a lot of confusion over the dial-in / SMS authenticator: it offers far less protection than the physical or mobile one, and it doesn’t yet work at all with Diablo. Bliz is looking at changing the name to something other than “authenticator” since it’s misleading fans.

5) No one with a mobile or physical authenticator on their D3 account has been hacked thus far. That has happened a few times over the years of WoW, but it requires exceptional circumstances. (Such as a hacker having so much access to your machine that they can read the authenticator number you enter, lock you out of logging on, and then log into your account themselves before the authenticator code expires.)
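The scenario in point 5 hinges on the authenticator code expiring and being accepted only once. The following is an added example, not Blizzard’s code: the page does not say which algorithm the physical or mobile authenticator uses, so this assumes a standard RFC 6238 TOTP token (HMAC-SHA1, 30-second steps, six digits) with the RFC’s published test secret, and shows a server-side verifier that tolerates small clock drift, consumes each code once so a code observed on the victim’s screen cannot be replayed after their login succeeded, and notes in comments the case where an attacker blocks the victim’s own login and submits the code first, which no replay check can catch.

```python
"""TOTP verification with replay protection (added illustration).

Assumption: an RFC 6238 authenticator (HMAC-SHA1, 30 s step, 6 digits).
The page never states the Blizzard authenticator's algorithm; the secret
below is the RFC 4226/6238 test-vector secret, not a real credential.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo input: the RFC test-vector secret.
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class AuthenticatorVerifier:
    """Server-side check for one account's authenticator.

    - accepts the current time step plus `skew` steps either side, so a
      token whose clock drifts slightly still works;
    - remembers the highest time step already accepted and refuses any
      code for that step or an earlier one, so a code read off the user's
      screen cannot be replayed once the user's own login has gone through.
    Limit: if the attacker blocks the victim's login and submits the code
    first, the server sees a single, valid first use and accepts it.
    """
    secret: bytes
    step: int = 30
    skew: int = 1
    digits: int = 6
    last_accepted_counter: int = -1

    def verify(self, code: str, now: int) -> bool:
        # Reject malformed input before doing any HMAC work.
        if len(code) != self.digits or not code.isdigit():
            return False
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_accepted_counter:
                continue  # already consumed, or older than a consumed code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = counter
                return True
        return False


def demo() -> dict:
    """Walk through the replay scenario; returns each step's outcome."""
    verifier = AuthenticatorVerifier(RFC_SECRET)
    t_login = 59  # victim logs in during time step 1
    victim_code = totp(RFC_SECRET, t_login)
    return {
        # 1. The legitimate login with a fresh code succeeds.
        "victim_login": verifier.verify(victim_code, t_login),
        # 2. Two seconds later the same code is replayed: still inside the
        #    30 s window, but the step has been consumed, so it is rejected.
        "replay_same_code": verifier.verify(victim_code, t_login + 2),
        # 3. A code for the next time step is accepted normally.
        "next_step_code": verifier.verify(totp(RFC_SECRET, 61), 61),
        # 4. A code for a step that has already passed is rejected.
        "stale_code": verifier.verify(hotp(RFC_SECRET, 0), 61),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:18} {'accepted' if ok else 'rejected'}")
```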

The “hacking” (“compromising” is probably a better word, since no real “hacking” is going on) being seen in D3 is no different than what World of Warcraft players have been seeing for five years or so. The sad thing is, if no one bought game currency (gold, credits, whatever) from these third-party companies, then essentially no account compromises would be occurring. Compromises not done by gold selling companies are very rare indeed; they strip one player to sell to another. Unfortunately, they make a lot of money off of the practice and so they have a lot of resources to use to try to get your password from you directly, or through your computer. Some of their poorly translated phishing e-mails may be laughable, but their trojans, infected websites, etc. are not funny at all.

If you have the physical or mobile authenticator (both of which major banks use and charge $30+ for) the chances of you being compromised are very, very small. I’ve personally examined the MSInfo files of nearly all of the handful of people who have truly been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling. Probably not coincidentally, these same people were also running a disturbing number of file-sharing and download programs, including ones which are commonly known to not be safe.

…There’s absolutely nothing shameful about getting compromised, these companies are good at what they do. Heck, the former head of Blizzard Customer Service had his account compromised. It’s because of how devious and high-tech the gold-selling companies have gotten that we implemented the physical and mobile authenticators. We can’t physically go to everyone’s computer and make it safe, so we’ve provided a tool that does it for you.

As understandably bitter as some players are about having their accounts hacked, it seems clear that Bliz is doing all they can to stop it. Even aside from them wanting their fans to have a good gaming experience, hacked accounts are terrible publicity, upset fans to the point of quitting, and cost Blizzard thousands of man-hours in support. There is no upside to Blizzard in their customers getting ripped off, and they’d very much like it not to happen.

Here’s the full thread.

Hack Refund

My refund is being processed, thank you Blizzard. And if you all are correct, and it is the player’s fault for being hacked (and SMS authentication / Dial In Authentication is useless to prevent it), then congratulations to the hackers for orchestrating the world’s most efficient high profile hack / exploit against an online game that I have ever seen. Great hack! Take responsibility and collect your glory, because whoever claims this one will enjoy a pretty high profile.

The “hacking” (“compromising” is probably a better word, since no real “hacking” is going on) being seen in D3 is no different than what World of Warcraft players have been seeing for five years or so. The sad thing is, if no one bought game currency (gold, credits, whatever) from these third-party companies, then essentially no account compromises would be occurring. Compromises not done by gold selling companies are very rare indeed; they strip one player to sell to another. Unfortunately, they make a lot of money off of the practice and so they have a lot of resources to use to try to get your password from you directly, or through your computer. Some of their poorly translated phishing e-mails may be laughable, but their trojans, infected websites, etc. are not funny at all.

If you have the physical or mobile authenticator (both of which major banks use and charge $30+ for) the chances of you being compromised are very, very small. I’ve personally examined the MSInfo files of nearly all of the handful of people who have truly been compromised through an authenticator, and the sheer number of backdoor programs and other malware on their systems has been mind boggling. Probably not coincidentally, these same people were also running a disturbing number of file-sharing and download programs, including ones which are commonly known to not be safe.

Again, compromising game accounts is a big business in some countries. They have people on their payroll who spread false rumors of “hacked through my authenticator” just to try to discourage people from using them. We charge $6.50 for the physical authenticator, because that’s exactly what it costs us to make them. The mobile one is free because we don’t have to pay a factory to build them. Use them, and enjoy your gaming without someone mucking with your stuff.

The post on the main page said that NONE of the hacking victims had authenticators. Are you saying that there were hacked accounts with an authenticator? If that is the case maybe you should have the security post updated to avoid BLATANTLY LYING to your customers.
Sorry for not being more specific on that. The hacks I was referring to were from the last five years of WoW compromises, not the current D3 compromises. None of the D3 compromises that we’ve checked have actually had authenticators, despite their claims.

I don’t buy gold or items. I don’t run unsafe programs. I bought a new computer exclusively for D3. I have the authenticator. I have Norton [email protected] edition and scan daily. I don’t click links. I don’t read spam email. I don’t download questionable content. I don’t buy anything from 3rd parties.

I got hacked 2 days ago. How’d that happen, bliz?
I just checked your account, and it has never had either the physical or mobile authenticator attached to it. You did have the dial-in authenticator attached, but its level of security is far below the physical and mobile. It’s meant to be used in addition to the main authenticator, not in place of it.

Hmmmmm.

I’ll bring up the idea of renaming the dial-in authenticator to my management. At the very least, maybe remove “authenticator” from its name so that people do not get it confused with the main authenticator (physical or mobile).

The authenticators my bank hands out are completely f.r.e.e.
That’s definitely cool. You should commend your bank then as some of them charge waaaaaaay too much in my opinion.

What is the concrete cause of the hackings? I can’t believe that there are so many cases; I highly doubt most of those can be attributed to the victims downloading apps and stuff.
Well, the cause is people desiring a shortcut in their games by buying gold. If you mean the technical cause, as I mentioned previously the gold selling companies use a vast array of methods. A good friend of mine is a long time network admin (and a very good one at that), who had decided to not use an authenticator because he’d never had any security issues with his computer over the years. Well, an Adobe Flash vulnerability popped up a couple years ago, and he procrastinated applying the update by a whole week. As you can probably guess by the fact that I’m relating this anecdote, his WoW account was compromised and stripped because of that one week window.

There’s absolutely nothing shameful about getting compromised, these companies are good at what they do. Heck, the former head of Blizzard Customer Service had his account compromised. It’s because of how devious and high-tech the gold-selling companies have gotten that we implemented the physical and mobile authenticators. We can’t physically go to everyone’s computer and make it safe, so we’ve provided a tool that does it for you.

I’ve been a computer tech for a long time, and I’ve never had a single malicious security breach on any of my computers that I’m aware of, but I attached one of the very first batches of physical authenticators to my account. Why? Because no matter how good I am, sooner or later they were going to get me. But now, they can’t.

Are you claiming that I did not have both the dial in auth and the SMS auth?
No, you had those. But neither of those are the physical or mobile authenticator, the main line of protection that is being referred to. The Dial-In and SMS are just nice additional layers of security to add to the physical or mobile.

It’s becoming pretty apparent that our naming scheme might be causing some confusion, and I apologize for that. I’ll bring the subject up with my management, so we can review both how the devices are named and how they are presented. If you have only one authenticator on your account, you want it to be the physical or mobile, not the dial-in or SMS.

You might want to reconsider implying that people with compromised accounts are buying gold with real money.
That’s definitely not what I’m saying, and I apologize if it came across that way. I meant that gold selling companies exist and compromise accounts because some players buy gold. If there was no market, there would be no companies dedicated to the market. Most people who are compromised have never bought gold.

I asked the same question earlier, however with it being a holiday weekend, and so many account compromises occurring I wouldn’t count on a quick turnaround.
We’re a 365/7 support center, so thankfully the holiday weekend shouldn’t add much of a delay.

What I don’t know is if you can play a character while a restoration is occurring. May I have a response regarding the playability of the account during the process of character restoration? (Obviously, you cannot be playing the same character you are restoring)
You don’t want to play your characters on the same realm (US, EU, ASIA) that will be rolled back, as the whole set gets rolled back at this time. However, to the best of my knowledge your characters on the other two realms are unaffected unless those realms needed to be rolled back as well.

So, let’s say you’ve been playing on the US realms only and you were compromised. You definitely shouldn’t touch the US characters until the process is complete on our end. However, since you’ve never played on the EU realm you should be completely safe in creating a character on that realm without the fear of it getting rolled back. The downside of course is that you can only play the EU character on the EU realm. Still, I wanted to point out the option. : )

I THINK it’s a java exploit
There definitely could be some Java exploits. That’s the thing though, they use everything they can, in tandem. I wasn’t aware of even half of the keylogging methods that are in use until I started working this job. We’ve been monitoring WoW compromises for years now, and while a particularly nasty vulnerability (like the Adobe Flash one I mentioned earlier) might result in a surge of compromises, the truth is that there’s never just “one thing” that’s resulting in compromises. It’s compromise by a thousand cuts, if you get my paraphrasing.

This is why we made the physical and mobile authenticators. After awhile, we realized that passwords weren’t just being stolen because of bad computer habits or poorly thought out passwords (although that happens as well). They were being stolen because of the sheer quantity of methods that the gold-selling companies were flooding the Internet with. No matter how careful you are, they may still get your password eventually, and that’s why we have the authenticator. It’s why I have one on my account right now. We even priced the physical model at cost ($6.50) so that no one could rightfully claim that we were making any money off of them.

Bottom line: We hate seeing people compromised, and having to deal with compromises also costs us a lot of money in support costs. We need either everyone to use an authenticator (physical or mobile), or no one to buy gold. Should that day come, we won’t have to worry about this anymore.

But I’m still a little confused, how come some players were initially told that their accounts hadn’t been compromised when they obviously had been? Was there a problem with your customer service department?
I’m not completely sure, to be honest. One of our systems probably just needed to be tuned a little better.

So, in other words, this blue post is just corporate bullshit to assure everyone that everything is fine and that it isn’t their fault, and that they’re doing something about it, and that your real money will be safe, and that the…

This is really good information that I wish everyone would read and I’m sure very few will, and even less will take it to heart. At one point I felt like I was invincible and that I couldn’t be hacked, but then one day it happened (not in D3). It happens. It sucks. Sometimes it really sucks. Deal with it. Get over it. Take more precautions to make sure it doesn’t happen again.

Blizzard are not “providing a backdoor”. They are allowing people (in this case thieves) to log in with the correct username and the correct password, regardless of how that username and password were obtained.

They also acknowledge that “single-factor” authentication of that kind is not particularly secure, and actively encourage the use of a multi-factor system (the “mobile authenticator”).

Blizzard can’t protect users if they decide that single-factor (password only) authentication is sufficient for their account, and then have their password compromised through a back-door provided by Adobe, Microsoft, phishing, trojans, SQL-injection-on-some-crappy-PHP-site-they-used-the-same-password-for etc. etc. etc.

The system has no inter-character mail, and no persistent games, right? So then is the only way to transfer items to drop them on the ground in a game with another player? And doesn’t your friends tab track who you recently played with? Wouldn’t that mean that a hacker can’t steal someone’s items without revealing the identity of the hacker’s own account? (Eventually – even if they chained items from compromised account to compromised account, the only way to get the value of the items to the hacker is eventually to use the hacker’s own account, no?)

I imagine they use additional hacked accounts to pass things along several times, do transfers in public games, etc., and then slap things into the AH as soon as possible, to convert them to gold, which is then further laundered. Once the items have been passed on Blizzard can’t do much, since they’d be penalizing other players who weren’t hackers and bought X and Y in the AH without knowing it was stolen.

How do Blizzard support actually know if they are hackers?
For all they know, it could be that you traded with them and then asked support to recover the items.
By the way, it could very well be that the account it is transferred to is also hacked.

This is exactly why, when the RMAH comes online, it will require you to use an authenticator after the first time you lose your stuff. And people will complain about that too. Like everything else, folks who can’t look after themselves make life worse for everyone.

You get a time out from the RMAH the first time you’re hacked. Second time, you are banned from the RMAH until you buy an authenticator. I’m surprised they don’t just proactively ban non-authenticator RMAH use altogether.

To put it bluntly, people are seldom ever held accountable for their actions.

If someone got their Battle.net account hacked, and support discovered that they had malware/virus/trojans on their system, support should say, “Too bad. So sad. Your account is gone forever. Next time:

1) Get proper protection for your system (AV, Firewall…)
2) Quit downloading porn or warez
3) Quit being so F’in gullible and clicking on links when “Blizzard” sends you an email stating that they need your account name and password.”

I dunno man, I just got hacked, right after I’d cleaned my PC. Apparently from Indiana. And they also got my gmail through bnet. I’m confused and pissed. Luckily I didn’t have anything worth shit so I only lost a few mediocre items, but still…

I never used any third party programs. I never played in a public game. I never used either auction house. All of my programs (except itunes which my wife put on the damn computer) are up-to-date. I’m not a porn-hound. I don’t download torrents or anything remotely illegal. What the heck happened? Anyone else have this experience?

Before it happened to me, I scoffed at all the people who were complaining; I’m careful, I’m not a computer genius, but I know enough to keep malware off my computer.

When a friend of mine got hacked, he found the culprit (or a puppet of the culprit) on his friends list. So no, you’re not entirely off-base. Let’s just hope that Blizzard thought of this ahead of time and has some way to identify the problem accounts and ban them.

There’s still many spreading rumours that it’s battle.net that’s been compromised, passing it on as fact that thousands or sometimes even tens of thousands of players are posting they’ve been hacked despite their computers not being compromised. While I’m sure there’s people who’ve been compromised, the rumor spreading and fanning of flames almost seems organised.

Excellent execution, Blizzard. We go to the store and spend $60.00 + tax to buy Diablo III – a game that has been in development for years upon years. Then, we play a game with an auction house that lacks commodities at the moment and there is currently no PvP. Let us not forget that there is no RMAH at this time either. We were sold an incomplete and thrown together game. You guys really think this is an excellent, outstanding game? Game of the Year candidate? Really? This is pathetic. Accounts hacked, extreme lag, bugs, annoying quests, and you are really satisfied? You may call me nostalgic, but I wouldn’t mind a secure atmosphere to play in. If Blizzard cannot fix this, DIII will fail and prove to be the biggest FLOP ever, and everyone will go back and make a hammerdin on D2. Usually, when I spend $60.00, I expect a finished, well-polished product that lasts. This game has already begun to erode, and it is still so young. Time is the greatest test – we will see.

Aww, yet another devoted Blizzard fanboy. Please try to construct a sound argument before replying. You sound like a complete idiot with the personal attacks. I have not been hacked. My computer has never had malware or trojans on it, because I know how to take care of a computer. Blizzard is wrong and at fault here, not me. They completely denied the allegations in the first blue post concerning this issue. By doing so, they called every hacked individual a liar – what a company! I’ve never had a company call its customers a liar before, whether it was implied or not. Now, good paying customers are risking being hacked and are playing an INCOMPLETE game. What about incomplete do you not understand? This is not a finished game. It will be finished when all the account hacking ends, the auction house functions at 100%, and PvP is patched. That will be a start.

I was infected once with a bootlogger program after downloading a no-cd.exe file for Crysis. I noticed it immediately and tried to remove it with no luck. Finally just re-formatted my hard drive and re-installed Windows.
It immediately returned. Took me days to eradicate it.
Turned out it could spread via flash drives, other hard drives, infected .exe files, and other computers on my home network.
So when anyone says that they are perfectly safe from malware…..then I don’t believe them.

Yep, we had a computer at work that had been compromised with e-mail account getting hacked. If there were any suspicious programs they’d been hidden well, and 5 different anti-virus and various malware programs were unable to recognize any threats. Finally we gave up and just formatted the sucker as there was no other way to eliminate the culprit.

Most people think if they run an antivirus program they’re safe. Afraid you’re not even close to being safe.

I agree that “Compromised” is the word……for now. There will be hacks and dupes eventually, people just do what you can to ensure your safety. Blizz are being really good about this and I feel some pity for them.

To my knowledge Google Ads picks what it wants to show based on the ad tags, the money it will generate and the type of website it is. Since this is a Diablo fansite we get ads for gaming and any ads with Blizzard tags etc.

We don’t allow links to hacks or gold sales sites in the forums, we don’t run ads for gold or item or character hacks/sellers in D2 or WoW, and we remove such ads when they show up. Elly and Rush have turned down very high bids for their entire network from gold sellers who have bought some major WoW sites, which (amusingly enough) remain in the Blizzard fansite program since the ownership is through proxies and the sites don’t run direct ads for the banned services.

If you see any such ads, take a screenshot or at least send us the URL and info about it via the send news button. We can get ads removed from the automated feed, but we have to know about them first. Everyone around the world sees different ads based on your location, time of day, etc., and they’re all auto-served, so we have no preview of the ads and don’t know what you’re seeing, etc.

Blizzard should have added an authenticator with each Diablo box sold. I propose to do this with the new WoW expansion too. FYI: what struck me is that Blizzard has proof that forum posters deliberately post false information about this security to fool everyone. So sad. The only ones laughing are the gold mafia who make dozens of millions of dollars by destroying the gaming fun of players. Diablo 3 and WoW are up against an uphill battle they can never win: sick hating trolls that create fake IDs on Metacritic, hackers that want offline playing modes so they can sell illegal copies and create fake private servers, and the multi-million-dollar gold mafia that spew misinformation to hide their stealing (remember the lying around game ID multiplayer sessions). I guess these bandits even coordinate: tell Blizzard their account was stolen, then get the gold back by rerolling the avatar’s history….. If you still got hacked by now, you really are an idiot for not adding an authenticator!!!

I was hacked. I didn’t have an authenticator. Even if you don’t think it’ll happen to you, you should get an authenticator, especially if you use a mobile device anyway and can get it for free. You might not think it’ll happen to you, but I didn’t think it’d happen to me. Consistent with other reports, I was cleaned out very shortly after reaching level 60 with a character, although I don’t know how long before that my account was compromised.
I don’t click on suspicious stuff, and I’ve certainly never been directly to any gold-buying websites. My biggest concern is really that scans of my machine haven’t found a thing, so I’m concerned that I may still be at risk.

Given all the attention this topic has gotten lately, I thought people might like to hear what an information security professional has to say. As someone who’s been in IT since before the franchise was launched and in Infosec since 2004, I hopefully have a relevant word or two to put in.
Bottom line is that it seems Blizzard is doing a good job, but there’s room for improvement. They claim the compromises they’ve looked into are on the player’s side, and that’s consistent with what I’ve seen in other industries and cases. But that doesn’t mean they can’t do more. Whether they should is a matter of opinion, but I’ve got some advice if they decide to up their protections more.
My full comments are here:

I’m still playing the good ol’ D2. I really don’t care about D3. The bots now also spam about D3 gold selling and powerleveling and I was curious to see how in the hell they would power level someone. In the only website I searched it was saying for the user to give them their password and disable the authenticator so they can power level your char. Dafuq? Now I don’t know if they are stupid scammers or if the players are really THAT dumb to get fooled by an obvious thing like that.
But anyway, gold and item selling is already strong in D3. Now I can laugh about fanboys that believed in all that Blizzard crap making them think the RMAH would end the business of item stores. Why would anyone pay fees to an intermediary to handle the transaction if they are already used to buying items from legit item stores for more than 10 years already? Now I’m curious to see if alternative currencies (aka FG) will be used in D3, and I bet they will, and that will seriously screw the gold based economy.

I mentioned this in a forum post, but for all those people who have gotten hacked I ask you one question: do you also have, or did you have, a subscription to WoW? If I was one of these “hackers” and knew D3 was coming out with a RMAH, and that a 1 year WoW sub gets you D3, and let’s be honest, there is somewhere a big database of valid user/pass of WoW subscribers who, hey, just might have D3, play it and have gold/items I can strip to resell on that RMAH at a later time.

Not saying those who do have bought “services” for WoW or did anything different to compromise their accounts, but considering it’s just 1 user/pass for all their games… *shrug*
I’m sure they have backup accounts they don’t compromise at that very moment often with WoW subs for later use… Just saying something to think about…

I just finished changing all of my info after my account was compromised. I had both the Dial-in Authenticator and SMS messages activated naively thinking the “green checkmarks” next to both my security options in Battle.net would be enough. I don’t play WoW, no virus, and definitely not level 60.

I have 5 characters on D3. My highest level character is a lvl 16 and I had about 12k gold. They cleaned out the inventory, stash, and gold of the last character I had logged in with but none of the inventories of my others. My guess is some robot guessed at my password, but who knows. I have since changed my password, removed the Dial-in authenticator and switched to the mobile authenticator. I’ve started a Support Ticket and can only hope they’re able to roll back my characters to pre-theft. But, if not, it’s really no big loss. I had barely even started Act 2. My other characters had better gear anyhow… guess I was lucky there 😐

If one gets hacked it’s either a kid or a stupid idiot -_- End of discussion.

One can not get hacked if it does not share pass or acc info and uses an authenticator. Also if you use 3rd party software – to make your dear Diablo screen have darker tones… then you qualify for the second category >> that is stupid idiots.
Do not give me the >> but I do not enter any suspicious sites, I do not show off on forums compromising my account etc. bullshiet.

Yeah, it’s pretty black and white, no grey in this argument. Every adult that gets hacked is a stupid idiot. 😆

See, the problem with your reasoning of “One can not get hacked if it does not share pass or acc info and uses an authenticator” is that:
a) I never share my account info
b) According to Battle.net I had two green check marks next to my security profile: 1) Dial-In Authenticator (notice the word Authenticator) and SMS Messaging

In retrospect I recognize that the Mobile Authenticator and Dial-In Authenticator are in two TOTALLY different leagues. Not because I wasn’t paying attention, I simply chose one of two Authentication methods supplied. I have seen it suggested that they change the name for the Dial-In so it’s not considered an Authenticator. I would highly support this change. Because what they really have is one legit Authenticator (in multiple physical forms), and several notification systems for when you get hacked (although none of the alarms/texts/e-mails/dial-ins went off during or after my account being compromised).

Y’know how I could prevent my game account from being compromised? My single player game? By not having it require a fr’n online profile attached to it. I’d be perfectly happy with a single-player-only character, no AH, no accomplishments, no multiplayer. Would never be hacked. Man, what an innovative idea.

This is just the beginning of a bigger problem yet to come when the RMAH update gets here. You watch and see how many accounts get compromised and their real money gets stolen. What will Blizzard say then ? It is your fault again ?

Mhh, strange. I was hacked too, a char and the stash was completely empty and I HAVE/HAD the mobile authenticator activated. No password change, no message on my mobile. So, what’s wrong? Anybody must know both my battle.net email address AND the password. Nor did I click on emails or something else. And believe me, I surely played in public games and screamed around my email and pw.
So, what’s up Blizz, how can they catch this information? For me, I feel absolutely not secure atm.
Thumbs up for the support. Fast reply, fast help with a rollback. So I lost time, but not all items and my playtime…
We will see, I hope they address the issue very fast.

I was hacked by a backdoor application. A trojan got through my anti-virus shield and allowed remote access by an external user. Unfortunately, I’d left my D3 account logged in, so the hacker didn’t even need to crack through my password and authenticator. I felt the need to post because I do in fact have Authenticator set to “always ask”, so don’t feel safe behind it.